Embedded management system for a physical device having virtual elements

ABSTRACT

A single management facility in a virtualized system that facilitates the presentation of either a virtual element view or a system view to a network management user depending upon the user's access rights is disclosed. The user interface presented to the user is modified based on the scope and type of access rights. The scope and type of access privileges afforded to the user of the virtualized system is found in a profile object that indicates the scope and type of user access established during the user login. The profile object is stored in an environment object that is created for each user at login. Each virtualized element in the system includes management information that is associated with the virtual element via a virtual element identifier. The management information indicates the level of user access privileges necessary to view the associated virtual element. Requests by a user to access management information associated with a virtual element are analyzed to determine if the access privileges specified in the user profile enable the user to access the virtual element and, if so, to perform the type of operation requested.

FIELD OF THE INVENTION

The illustrative embodiment of the present invention relates generally to a physical device having virtual elements and more particularly to an embedded management system for managing the physical device and the virtual elements within the physical device.

BACKGROUND

FIG. 1 shows an example of a traditional configuration for users to manage access to servers and storage via network devices such as a switch in a data center. In this example, clients 11A, 11B and 11C wish to gain access to services provided by respective groups of resources 14A, 14B and 14C in the data center. Each of the groups of resources 14A, 14B and 14C includes servers and storage. Thus, servers 16A and storage 18A are part of group 14A, servers 16B and storage 18B are part of group 14B, and servers 16C and storage 18C are part of group 14C. A separate network device 12A, 12B and 12C is associated with each group 14A, 14B and 14C and controls the flow of service requests and responses for the associated group. Each network device 12A, 12B and 12C is a separate self-contained physical device and facilitates a client's access to the resources in the respective group for a user. Each physical device also has an independent network management interface that provides a network management user 10A, 10B and 10C with a system view to manage the device. It should be noted that the term “user” appearing herein is used interchangeably with the term “network management user”.

This approach requires separate network devices 12A, 12B and 12C for each of the logical groups 14A, 14B and 14C. These network devices 12A, 12B and 12C can be quite costly and can present various configuration challenges, especially if they are distinct types of devices.

One possible solution to this problem is virtualization. Virtualization allows a single physical device to be logically partitioned so as to function as if it were multiple devices. Virtualization allows partitioning of a device's resources but also presents management challenges. One such management challenge is to present a management view that is akin to that used for managing an independent physical device. In other words, the challenge is to present to the network management user a management view so that the user experiences each virtual element as if it were a physical device, and also to present a non-virtualized system view for the administrator/owner of the physical device.

SUMMARY OF THE INVENTION

The illustrative embodiment of the present invention provides a management facility that facilitates the presentation of either a virtual element view or a system view to a network management user depending upon the user's access rights. The user interface presented is modified based on the scope and type of access rights of the network management user. The scope and type of access privileges afforded to the user of the virtualized system is defined by a profile object which indicates the scope and type of user access. A profile object is associated with the user during log-in. Each virtualized element in the physical device is uniquely distinguishable by an identifier. The management information associated with a virtual element is indicated by its virtual element identifier. An environment object is created for each user at login to store the profile object and the virtual element identifier. The virtual element identifier indicates the type and scope of the user access privileges necessary to manage the associated virtual element. Requests by a user to access management information associated with a virtual element are analyzed to determine if the access privileges specified in the user profile enable the user to access the virtual element and, if so, to perform the type of operation requested.

In one embodiment, a physical device apparatus in a network includes multiple virtual elements configured on the physical device. Each collection of management information is associated with a virtual element. The collection of management information includes an access scope indicating a required user access level needed to access the information. The physical device apparatus also includes at least one environment object associated with a user interfaced with the device. The environment object includes a collection of user profile information and the identifier of the virtual element the user is authorized to access. The physical device apparatus further includes a management facility that controls the access of a user to a collection of management information associated with one of the virtual elements.

In another embodiment in a network, a method of controlling access to a plurality of virtual elements includes the step of providing a physical device with multiple virtual elements configured thereon. Each collection of management information is associated with a virtual element. The collection of management information includes an access scope indicating a required user access level needed to access the information. The method further includes instantiating an environment object associated with a user interfaced with the device. The environment object includes a collection of user profile information associated with the user and the identifier of the virtual element for which the user is authorized. The method also requests access for a user to a collection of the management information for a virtual element and determines whether to grant the request based on the user profile information and the collection of management information.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 (Prior art) depicts an example of a conventional configuration for a data center wherein multiple network devices are employed;

FIG. 2 depicts an example of a configuration for a data center in accordance with the illustrative embodiment of the present invention;

FIG. 3 provides a logical view of the scoping provided in the illustrative embodiment of the present invention;

FIG. 4 illustrates a number of the components, including the management facility and MIBs, found in a physical device used by the illustrative embodiment of the present invention;

FIG. 5 depicts an example of an environment object used in the illustrative embodiment of the present invention;

FIG. 6 is a flow chart illustrating the steps that are performed in the illustrative embodiment of the present invention when a request of the management facility is received;

FIG. 7 is a flow chart illustrating the steps that are performed to determine what is depicted on a user interface of the management facility; and

FIG. 8 is a flow chart illustrating the steps that are performed to transform content contained in an XML management schema file.

DETAILED DESCRIPTION

The illustrative embodiment of the present invention provides a management facility for managing a physical device that is partitioned into multiple virtual elements. Each virtual element represents a logical partition of the resources of the physical device and, in general, operates as if it were a distinct physical device. The management facility provides management of resources on a system-wide basis as well as management on a per virtual element basis. Management information for each virtual element is tagged with an identifier that associates the management information with the virtual element. The management facility provides scoping to appropriately limit the scope of management information that may be accessed by a user. Thus, for example, a user that should only have access to management information for a specific virtual element is only permitted access to the management information for the specified virtual element. In contrast, a user that has system-wide privileges is permitted to access all of the management information, including both management information for the virtual elements and management information for the system. An interface is presented to the user that is scoped based on access rights and retains the look and feel of conventional interfaces to physical devices.

In the illustrative embodiment, the management information is also accessible via SNMP. Thus, the management information may be described in Management Information Bases (MIBs). The management information is organized into a group of scalar and table objects. The MIBs may be created automatically, partially or wholly, from the application data and commands that are stored in a predefined configuration file format (as will be described in more detail below). In one embodiment, the application data and commands are stored in an XML format that is transformed into MIBs. The application data and commands may also be transformed to generate documentation, such as documentation for Command Line Interface (CLI) commands. Still further, the application data and commands may be transformed into a Simple Management Framework (SMF) text file or other proprietary or well-known formats that may be used by management applications.

The illustrative embodiment of the present invention employs a number of profiles that define access privileges (i.e. read-only, read-write, no access privileges, or a combination thereof) for users and the scopes to which users are limited (i.e. limits to a particular virtual element or to the entire system). Each user has an associated profile stored in an environment object. A number of different profiles may be provided by the management facility, and the profiles are dynamic in that they may be modified, added (i.e. new profiles defined), or deleted. The identity of the virtual element that the user wishes to access is also stored in the environment object.

FIG. 2 shows an example configuration wherein a physical device 20 is used in the illustrative embodiment of the present invention. It should be noted that the configuration shown in FIG. 2 differs from that shown in FIG. 1 in that the separate network devices 12A, 12B and 12C are replaced with a single physical device 20 in FIG. 2. The single physical device 20 includes virtual elements 22A, 22B and 22C. These virtual elements act as separate virtual devices for directing communications between the clients 11A, 11B and 11C and the respective resource groups 14A, 14B and 14C. The network management users 10A, 10B and 10C are presented with a management view that is consistent with the interface presented by the separate physical devices, although they are only viewing and managing their respective virtual elements. A network management user 10D with administrator privileges is presented with a view of the entire physical device 20.

It should be appreciated that the virtual elements may take many forms. For example, the virtual elements may be virtual switches that are partitions of a physical switch, or a server whose resources are partitioned into multiple virtual servers. In addition, the virtual elements may be virtual routers as opposed to virtual switches. Those skilled in the art will appreciate that the present invention is not limited to virtual elements that are either virtual switches or virtual routers; rather, the present invention may be practiced with other varieties of virtual elements that constitute logical partitions of the resources of a physical device.

FIG. 3 depicts an example of the scoping that may be provided by the illustrative embodiment of the present invention. System view 30 encompasses management information 32A, 34A and 36A for each of the virtual element views 32, 34 and 36 as well as system management information 38 (i.e. non-virtualized attributes). Each virtual element view 32, 34 and 36 contains management information 32A, 34A and 36A that is particular to a given virtual element 32, 34 and 36. The management information 32A, 34A and 36A in these virtual element views 32, 34 and 36 has been tagged with a virtual element identifier 32B, 34B and 36B to designate the information as belonging to the associated virtual element views, and views may be further embedded as shown in FIG. 3. For example, virtual element view 40 is a subset of virtual element view 32 and contains information for a virtual element that is contained in another virtual element. For instance, the virtual element view 32 may contain management information that is associated with a specific virtual switch, and the virtual switch may include a virtual router. The virtual element view 40 is associated with the virtual router.

FIG. 4 depicts the management facility 50 used by the illustrative embodiment of the present invention in greater detail. A physical device 20 includes a management facility 50 and is able to manage resources on both a per virtual element basis as well as on a system-wide basis. Users may interact with the management facility 50 via user interfaces such as a Command Line Interface (CLI) 54 or a Graphical User Interface (GUI) 56. The management facility 50 also supports programmatic interfaces 58 such as SNMP and XML where requests are received programmatically. Those skilled in the art will recognize that additional types of interfaces may be deployed without departing from the scope of the present invention.

When a user seeks to access management information 52 via one of these interfaces 54, 56 and 58, the management facility 50 must determine whether the user is permitted the requested access. The management facility 50 maintains an environment object 60 (depicted in FIG. 5) for each user in the illustrative embodiment. The environment object includes a user profile 62. The environment object 60 also includes the identities of the virtual element(s) that the user is authorized to access 64.

As was mentioned above, user profiles identify the type of access that is permitted to the user and the scope of access that is permitted to a user. The following table identifies an example of some of the user profiles and the associated access rights and scopes that are associated with each user profile.

User Profile              Privileges
SystemAdmin               Read and write access for all settings for the system, including all virtual elements
SystemOperator            Read-only access for all settings for the system, including all virtual elements
VirtualElementAdmin       Read and write access for all settings that affect a specific virtual element
VirtualElementOperator    Read-only access to all settings that affect a specific virtual element

It should be appreciated that the user profiles are extensible and modifiable. New user profiles may be created and user profiles may be deleted. In addition, user profiles may be modified as needed. Thus, the user profiles are dynamic.

Those skilled in the art will appreciate that the use of the environment object is not necessary to practice the present invention. In alternative implementations, the profile information and the identity of the virtual elements that the user seeks to access may be stored separately and in different formats. The environment object constitutes only an exemplary implementation.

FIG. 6 is a flow chart illustrating the steps that are performed when a user submits a management request to the management facility 50 that requires access to management information 52. Initially, the user submits the request (Step 70). The user may submit the request via CLI 54, via GUI 56 or via programmatic interface 58; the same checks apply whichever interface carried the request. The management facility 50 examines the request and determines the virtual element that the user wishes to access and the type of access required for the request (Step 72). A check is made to determine whether the user is permitted to access the identified virtual element (Step 74). If the user is not permitted, then access to the associated management information is denied by refusing to perform the request (Step 76). If the user is permitted to access the identified virtual element, a check is made whether the user is permitted the type of access that is requested (i.e., read access, write access, etc.) (Step 78). If the user is permitted the type of access, then access is granted (Step 80) and the request is acted upon within the scope of the virtual element. If, however, the user is not permitted the type of access, the request is denied (Step 76).

The management facility 50 also provides some additional help in that the user interface 54 or 56 advertises only actions that are consistent with the scope of the granted user access. The management facility 50 only displays options on the UI that are consistent with the type of access and the scope of access for which the user is authorized. FIG. 7 is a flow chart illustrating the steps that are performed in customizing the UI to facilitate the display of only authorized options. The process begins when the user logs into the UI (Step 82). This may entail accessing the management facility via a web browser and typing in a user ID and password. A determination is then made of the scope and type of access that is permitted for the user (Step 84). The user interface is then customized to display only those options that are available and consistent with the scope and type of access that are permitted for the user (Step 86). The customized display supplements the check of FIG. 6 rather than replacing it: each request is still evaluated against the environment object when it is submitted.
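The following is an added example, not code from the patent or its assignee, that implements the profile table above, the embedded views of FIG. 3 and the checks of FIGs. 6 and 7 as one authorization routine. The element identifiers (vswitch1, vswitch2, vrouter1), the containment relation between them, the management object names and the Environment/ManagementObject types are constructed for the example; only the four profile names and their rights come from the table. The scope check runs before the access-type check, system attributes are unreachable from a per-element scope, an unknown profile is denied, and the UI option list is derived from the same check so it can never advertise an action the facility would refuse.

```python
"""Scoped access to management information, modelled on the profile table,
the embedded views of FIG. 3 and the checks of FIGs. 6 and 7.
Added example, not the patent's code: the element identifiers, the
containment relation and the management object names are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, Tuple


class Access(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2


SYSTEM = "system"   # pseudo-identifier for the non-virtualized system attributes


@dataclass(frozen=True)
class Profile:
    name: str
    access: Access      # type of access the profile confers
    system_wide: bool   # scope: the whole device, or only elements named at login


# Profiles from the table above; the facility may add, change or delete them.
PROFILES: Dict[str, Profile] = {
    "SystemAdmin":            Profile("SystemAdmin", Access.WRITE, True),
    "SystemOperator":         Profile("SystemOperator", Access.READ, True),
    "VirtualElementAdmin":    Profile("VirtualElementAdmin", Access.WRITE, False),
    "VirtualElementOperator": Profile("VirtualElementOperator", Access.READ, False),
}


@dataclass(frozen=True)
class Environment:
    """Environment object built at login (FIG. 5): profile plus authorized elements."""
    user: str
    profile: Profile
    elements: FrozenSet[str]


@dataclass(frozen=True)
class ManagementObject:
    """One scalar or table object, tagged with the identifier of its virtual element."""
    name: str
    element: str        # virtual element identifier, or SYSTEM
    required: Access    # access scope: minimum access level needed to view it


# Constructed containment relation (FIG. 3): vrouter1 is embedded in vswitch1.
PARENT = {"vrouter1": "vswitch1", "vswitch1": SYSTEM, "vswitch2": SYSTEM}

# Constructed management information; names are illustrative only.
OBJECTS = [
    ManagementObject("sysUpTime", SYSTEM, Access.READ),
    ManagementObject("sysContact", SYSTEM, Access.READ),
    ManagementObject("vsName", "vswitch1", Access.READ),
    ManagementObject("vsPortCount", "vswitch1", Access.READ),
    ManagementObject("vsSnmpCommunity", "vswitch1", Access.WRITE),  # hidden from read-only profiles
    ManagementObject("vrStaticRoute", "vrouter1", Access.READ),
    ManagementObject("vsName", "vswitch2", Access.READ),
]


def login(user: str, profile_name: str, elements: Iterable[str] = ()) -> Environment:
    """Step 82: create the environment object. An unknown profile yields no access."""
    profile = PROFILES.get(profile_name, Profile(profile_name, Access.NONE, False))
    return Environment(user, profile, frozenset(elements))


def in_scope(env: Environment, element: str) -> bool:
    """Step 74: the element is in scope if the profile is system-wide, or if it or
    a virtual element containing it was authorized at login. System attributes
    are never reachable from a per-element scope."""
    if env.profile.system_wide:
        return True
    while element != SYSTEM:
        if element in env.elements:
            return True
        element = PARENT.get(element, SYSTEM)
    return False


def authorize(env: Environment, obj: ManagementObject, op: str) -> Tuple[bool, str]:
    """Steps 72-80: scope check first, then access-type check; deny anything else."""
    if op not in ("get", "set"):
        return False, "unknown operation"
    if not in_scope(env, obj.element):
        return False, "element out of scope"
    needed = Access.WRITE if op == "set" else max(Access.READ, obj.required)
    if env.profile.access < needed:
        return False, "access type not permitted"
    return True, "granted"


def visible_options(env: Environment, objects=OBJECTS) -> Dict[Tuple[str, str], Tuple[str, ...]]:
    """Steps 84-86: the options a UI may advertise, derived by running the same
    check over every object so the menu never offers an action that would be denied."""
    options = {}
    for obj in objects:
        ops = tuple(op for op in ("get", "set") if authorize(env, obj, op)[0])
        if ops:
            options[(obj.element, obj.name)] = ops
    return options


if __name__ == "__main__":
    env = login("carol", "VirtualElementOperator", ["vswitch1"])
    for key, ops in sorted(visible_options(env).items()):
        print(key, ops)
```

Two design points matter for a practitioner. The containment walk in in_scope lets a VirtualElementAdmin of the switch manage the router embedded in it (FIG. 3, view 40 inside view 32) while an operator scoped to the router alone cannot reach the enclosing switch; and authorize is the only place a decision is made, so the CLI, GUI and programmatic interfaces of FIG. 4 cannot diverge in what they permit.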

Although the examples contained herein have discussed the use of the management facility in conjunction with a plurality of virtual elements, it should be understood that the illustrative embodiment of the present invention might also be applied to other forms of virtualization for electronic devices. The illustrated embodiment of the present invention may be extended to include any virtual software entity created on a physical device that needs to be contacted through a management system.

The illustrative embodiment of the present invention provides the capability of taking management data in a specified file format and transforming it to generate MIBs. FIG. 8 provides an example of the steps that are performed to transform the management data. Initially, a file is provided that contains management data and commands (Step 100). The file is then validated against a schema by applying an XML style sheet (Step 102). Once the syntax and contents have been validated, the XML document is transformed into one or more MIBs (Step 104). A number of conventionally available tools may be employed to perform this transformation. In addition, source code may be generated from the MIB (Step 106). The source code is used to fill in data structures for use in an SNMP agent in the management facility 50.

The data and commands in the file holding the management data may also be transformed to generate an SMF text file (Step 108). The SMF text file created in Step 108 may then be passed through a code generator to generate source code in C++ or another language (Step 110). This source code fills in data structures for use in the management facility 50. In particular, it fills in values that are used by the CLI, the web interface and the XML interface. This enables the values to be put in a form that can be used by the programmatic and presentation interfaces.

The management data and commands may also be used to generate documentation for the CLI commands and to generally provide online help (Step 112).

Since certain changes may be made without departing from the scope of the present invention, it is intended that all matter contained in the above description or shown in the accompanying drawings be interpreted as illustrative and not in a literal sense. Practitioners of the art will realize that the system configurations depicted and described herein are examples of multiple possible system configurations that fall within the scope of the current invention. Likewise, the sequences of steps discussed herein are examples and not the exclusive sequence of steps possible within the scope of the present invention.
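The following is an added example, not the patent's tooling, of the pipeline in FIG. 8 from the management file (Step 100) through validation (Step 102) to MIB text (Step 104) and CLI documentation (Step 112). The XML vocabulary (a management element holding object elements with description and command children), the module name VSWITCH-MIB, the root node name vswitchObjects and the object names are all constructed for the example. The patent validates against a schema with a style sheet; the standard library has no XSD validator, so the structural checks in validate stand in for that step and are an assumption of this example, as is the use of SMIv2 OBJECT-TYPE macros as the MIB rendering. The point the checks make is the one that matters for a code generator: a file that fails validation produces no output at all.

```python
"""Transforming an XML management file into MIB text and CLI documentation,
after steps 100, 102, 104 and 112 of FIG. 8. Added example, not the patent's
tooling: the XML vocabulary, the module name VSWITCH-MIB, the object names and
the structural checks that stand in for schema validation are all constructed."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

VALID_ACCESS = {"not-accessible", "read-only", "read-write"}
VALID_TYPES = {"Integer32", "DisplayString", "TruthValue"}

# Constructed stand-in for the management data and commands file of step 100.
SAMPLE_XML = """<management module="VSWITCH-MIB" root="vswitchObjects">
  <object name="vsName" type="DisplayString" access="read-write">
    <description>Administrative name of the virtual switch.</description>
    <command>set vswitch name &lt;name&gt;</command>
  </object>
  <object name="vsPortCount" type="Integer32" access="read-only">
    <description>Number of ports assigned to the virtual switch.</description>
    <command>show vswitch ports</command>
  </object>
</management>"""


def validate(root: ET.Element) -> List[str]:
    """Step 102 stand-in: reject anything the generators would otherwise pass
    through unchecked (a real pipeline validates against the schema here).
    Returns the list of problems found; empty means the file is acceptable."""
    errors = []
    if root.tag != "management" or not root.get("module") or not root.get("root"):
        errors.append("root must be <management> with module and root attributes")
    seen = set()
    for i, obj in enumerate(root.findall("object"), 1):
        name = obj.get("name") or ""
        if not name.isidentifier():
            errors.append(f"object {i}: missing or invalid name {name!r}")
            continue
        if name in seen:
            errors.append(f"{name}: duplicate object name")
        seen.add(name)
        if obj.get("type") not in VALID_TYPES:
            errors.append(f"{name}: unsupported type {obj.get('type')!r}")
        if obj.get("access") not in VALID_ACCESS:
            errors.append(f"{name}: invalid access {obj.get('access')!r}")
        if not obj.findtext("description", "").strip():
            errors.append(f"{name}: missing description")
    return errors


def to_mib(root: ET.Element) -> str:
    """Step 104: render each object as an SMIv2 OBJECT-TYPE macro under the
    root node named in the file; arcs are assigned in file order."""
    lines = [f"{root.get('module')} DEFINITIONS ::= BEGIN", ""]
    for i, obj in enumerate(root.findall("object"), 1):
        desc = " ".join(obj.findtext("description", "").split()).replace('"', "'")
        lines += [
            f"{obj.get('name')} OBJECT-TYPE",
            f"    SYNTAX      {obj.get('type')}",
            f"    MAX-ACCESS  {obj.get('access')}",
            "    STATUS      current",
            f'    DESCRIPTION "{desc}"',
            f"    ::= {{ {root.get('root')} {i} }}",
            "",
        ]
    lines.append("END")
    return "\n".join(lines)


def to_cli_doc(root: ET.Element) -> str:
    """Step 112: documentation for the CLI commands attached to each object."""
    lines = [f"CLI commands for {root.get('module')}", ""]
    for obj in root.findall("object"):
        desc = " ".join(obj.findtext("description", "").split())
        for cmd in obj.findall("command"):
            lines.append(f"  {(cmd.text or '').strip()}")
            lines.append(f"      {desc} [{obj.get('access')}]")
    return "\n".join(lines)


def check(xml_text: str) -> List[str]:
    """Parse and validate only; returns the list of problems (empty if clean)."""
    return validate(ET.fromstring(xml_text))


def transform(xml_text: str) -> Tuple[str, str]:
    """Steps 100 to 112 end to end: a file that fails validation generates nothing."""
    root = ET.fromstring(xml_text)
    errors = validate(root)
    if errors:
        raise ValueError("management file rejected: " + "; ".join(errors))
    return to_mib(root), to_cli_doc(root)


if __name__ == "__main__":
    mib, doc = transform(SAMPLE_XML)
    print(mib)
    print(doc)
```

The generated text is a build input for the SNMP agent and the CLI, so anything that reaches to_mib unvalidated becomes agent behaviour; that is why transform refuses to emit partial output. xml.etree is used here because the file is produced by the device's own build; XML arriving from an untrusted source should be parsed with defusedxml instead.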

1-37. (canceled)
38. A physical device apparatus in a network, comprising: a plurality of virtual elements configured on said physical device, each said virtual element associated with a collection of management information for said virtual element, said collection of management information including an access scope indicating a required user access level needed to access said information, wherein said collection of management information is associated with a virtual element identifier; at least one environment object associated with a user interfaced with said device, said environment object including a collection of user profile information; and a management facility, said management facility controlling the access of a user to a collection of management information associated with at least one of said virtual elements.

39. The apparatus of claim 38 wherein said management facility provides one of a system view and a virtual element view to a user based on said user profile, said system view including a view of a plurality of said virtual elements.

40. The apparatus of claim 38, further comprising: a user interface, said user interface modified based on the scope and type of access privileges accorded to said user.

41. The apparatus of claim 38 wherein access to said management information is scoped based upon the access privileges accorded a user.

42. The apparatus of claim 38 wherein said collection of user profile information defines the type of access privileges of said user.

43. The apparatus of claim 38 wherein said collection of user profile information defines the scope of access privileges of said user.

44. The apparatus of claim 43 wherein said scope of access privileges of the user is set to one of a specified virtual element, a subset of virtual elements and unlimited access to management information for all of said virtual elements on said physical device.

45. The apparatus of claim 38, further comprising: a schema for management data and commands stored in an XML (Extensible Markup Language) file.

46. The apparatus of claim 45 wherein data in said XML file is used to create one of a MIB (Management Information Base) file and an SMF (Simple Management Framework) file.

47. In a network, a method of controlling access to a plurality of virtual elements, said method comprising: providing a physical device with a plurality of virtual elements configured thereon, each said virtual element associated with a collection of management information for said virtual element, said collection of management information including an access scope indicating a required user access level needed to access said information, wherein said collection of management information is associated with a virtual element identifier; instantiating an environment object associated with a user interfaced with said device, said environment object including a collection of user profile information associated with said user; requesting access for a user to a collection of said management information for a virtual element; and determining whether to grant said request based on said user profile information and said collection of management information.

48. The method of claim 47 wherein said request is contained in one of a CLI (Command Line Interface)-generated request, a web-based request and a programmatically generated request.

49. The method of claim 47, further comprising: providing a management facility facilitating one of a system view and a virtual element view to said user based on said user profile information associated with said user, said system view including a view of a plurality of said virtual elements.

50. The method of claim 47 wherein said collection of user profile information defines the type of access privileges of said user.

51. The method of claim 47 wherein said collection of user profile information defines the scope of access privileges of said user.

52. The method of claim 51 wherein the scope of access privileges of the user is set to one of a specified virtual element, a subset of virtual elements and unlimited access to configuration data of any virtual element configured on said physical device.

53. The method of claim 47, further comprising: allowing a user to access said collection of management information associated with a virtual element based on a response to the request.

54. The method of claim 47, further comprising: denying a user access to said collection of management information associated with a virtual element based on a response to the request.

55. The method of claim 47, further comprising: tagging each collection of management information with a virtual element identifier to associate each collection of management information with a particular virtual element.

56. The method of claim 47, further comprising: providing a user interface, said user interface modified based on the scope and type of access privileges accorded said user.

57. In a network including a physical device holding a medium, said medium holding executable steps for a method of controlling access to a plurality of virtual elements, said method comprising: providing a physical device with a plurality of virtual elements configured thereon, each said virtual element associated with a collection of management information for said virtual element, said collection of management information including an access scope indicating a required user access level needed to access said information, wherein said collection of management information is associated with a virtual element identifier; instantiating an environment object associated with a user interfaced with said device, said environment object including a collection of user profile information associated with said user; requesting access for a user to a collection of said management information for a virtual element; and determining whether to grant said request based on said user profile information and said collection of management information.

58. The medium of claim 57 wherein said request is contained in one of a CLI (Command Line Interface)-generated request, a web-based request and a programmatically generated request.